Forwarded From: William Knowles <erehwon@kizmiaz.dis.org>
[News.com] (10.24.98) Microsoft yesterday shut down a site hosted by
Softbank Services after discovering that it was revealing private
identification and contact information for 108,000 Microsoft customers.
Softbank's site let users of Microsoft's Money financial management
software upgrade to Money 99 from previous versions of Money. Microsoft
had Softbank Services pull the site yesterday after learning of the
security breach from CNET News.com.
Users trying to access the downed site first received an HTTP error page.
Now the site reads: "We are sorry, but our site is temporarily out of
service. If you would like to place an order for Money 99 or the Financial
Suite please call 1-800-598-2068. M-F 8 a.m.-10 p.m. ET."
Microsoft on Thursday sent out a mass email inviting Money users to order
the software upgrade either online or through a toll-free call. The email
included a unique reservation number nine digits long.
Once at the Softbank Services-hosted upgrade site, users could enter that
number to order the upgrade. However, if they altered one or more of its
digits, they were likely to call up the account of another customer.
While the resulting Web page did not display users' personal information
outright, the pages contained names, phone numbers, email addresses, and
postal addresses in a series of hidden fields. Those hidden fields could
be viewed easily in the document or page source.
News.com was notified of the problem yesterday by Gregor Freund of Bay
Area security software firm Slant.
"You could write a ten-line script and download all that information and
use it for whatever purpose," Freund said. "These are very targeted
addresses."
It was not clear today whether other Microsoft customer databases hosted
by Softbank -- or Softbank's other clients -- were similarly exposed.
A Microsoft spokesperson suggested that it was probably an isolated
incident. "We have used the service many, many times in many different
ways, and this was the first time that this sort of thing has come to our
attention," the spokesperson said.
Softbank could have secured the site by asking for another piece of
information, such as the customer's zip code, which would have made it
harder to access the accounts by randomly guessing at reservation numbers.
Softbank could not be reached for comment.
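As an added illustration that is not from the article or from either company: a minimal order-lookup handler in Python showing the weak pattern the story describes (the reservation number alone selects the record, and the full contact record is handed to the page, where it ended up in hidden fields) beside a hardened version that also requires the zip code, compares it in constant time, limits failed attempts per client, and returns only what the order form needs. The function names, client identifiers and sample records are constructed for the example.

```python
import hmac
from collections import defaultdict

# Constructed sample data standing in for the Money 99 upgrade records.
CUSTOMERS = {
    "000123456": {"name": "A. Example", "zip": "98052",
                  "phone": "425-555-0100", "email": "a@example.invalid"},
    "000123457": {"name": "B. Example", "zip": "94107",
                  "phone": "415-555-0199", "email": "b@example.invalid"},
}

def lookup_vulnerable(reservation):
    """The weak pattern: the nine-digit reservation number alone selects the
    account, and the whole record (the PII that ended up in hidden fields)
    is handed to the page template. Any altered digit that lands on another
    valid number yields another customer's record."""
    return CUSTOMERS.get(reservation)

MAX_FAILURES = 5            # lock a client after this many wrong guesses
_failures = defaultdict(int)  # failed attempts per client (hypothetical key)

def lookup_hardened(reservation, zip_code, client):
    """Hardened lookup: require a second piece of information the customer
    knows (the zip code, as the article suggests), compare it in constant
    time, stop serving a client after repeated failures, and return only
    the fields the order form needs rather than the full contact record."""
    if _failures[client] >= MAX_FAILURES:
        return None
    record = CUSTOMERS.get(reservation)
    # Compare against a dummy value on a miss so response timing does not
    # reveal whether the reservation number itself exists.
    expected = record["zip"] if record else "00000"
    ok = hmac.compare_digest(expected.encode(), zip_code.encode())
    if not (record and ok):
        _failures[client] += 1
        return None
    _failures[client] = 0
    # Phone, email and postal address never reach the page source.
    return {"name": record["name"]}
```

The lockout counter here is in-process and keyed by a caller-supplied client id; a real deployment would key it on something the server observes and persist it across workers.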
-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
Received on Tue Oct 27 09:58:01 1998